Project Description

Develop a fully automated behavior-based analysis approach capable of accurate suspicion assessment of software for mobile devices.


Expected Outcomes

• Behavior characteristics usable in assessing suspicion

• Efficient data collection techniques

• Automated app analysis with user interaction

• Suspicion assessment prototype for real devices

Impact for the DoD: identify potential malware early enough to avoid potential damage to the device. Provide fast, accurate suspicion assessment of an app to an analyst.
Behavior Characteristics

Identified various behaviors:

• Thread creation

• Accessing system data with potential PII

• Incoming and outgoing SMS

• TCP connections

• Privilege escalation

• Device root

Most are found in strace, logcat, and network data.

Most occur within a few seconds of the main activity running.
Analysis Methodology - Approach

• Strace Android APK

• Convert strace to graph

• Apply graph kernel for similarity computation

• Feed similarity to SVM for classification
Analysis Methodology - Strace Sample

Analysis Methodology - Malware Infection Tree

Analysis Methodology - Ordered System Call Graph

Analysis Methodology - Unordered System Call Graph
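The first three steps of the approach on the preceding slides (strace, system call graph, graph kernel), as an added example that is not the project's code: it parses constructed strace lines into ordered and unordered system call graphs and scores two traces with a histogram intersection kernel. The trace excerpts, the use of edge counts as features (in place of the project's 27-dimension per-node vectors) and the length normalization are assumptions.

```python
import re
from collections import Counter
# Constructed strace excerpts ("pid syscall(args) = ret", as strace -f prints);
# illustrations only, not traces captured by the project.
TRACE_BENIGN = """\
4201 openat(AT_FDCWD, "/data/data/com.example/files/prefs", O_RDONLY) = 31
4201 read(31, "...", 4096) = 120
4201 close(31) = 0
4201 ioctl(10, BINDER_WRITE_READ, 0x7fe0) = 0
4201 read(31, "...", 4096) = 0
4201 close(31) = 0
"""
TRACE_SUSPECT = """\
4388 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 40
4388 connect(40, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
4388 write(40, "POST /c.php ...", 512) = 512
4388 read(40, "...", 4096) = 64
4388 close(40) = 0
4388 clone(child_stack=0, flags=CLONE_VM|SIGCHLD) = 4390
"""
SYSCALL_RE = re.compile(r"^(\d+)\s+(\w+)\(")

def parse_calls(trace):
    """(pid, syscall) pairs in trace order; lines that are not calls are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(SYSCALL_RE.match, trace.splitlines()) if m]

def ordered_graph(calls):
    """Directed edge a->b counted each time b directly follows a in the same thread."""
    edges, last = Counter(), {}
    for pid, name in calls:
        if pid in last:
            edges[(last[pid], name)] += 1
        last[pid] = name
    return edges

def unordered_graph(calls):
    """Same adjacency with direction dropped, so a->b and b->a share one edge."""
    edges = Counter()
    for (a, b), n in ordered_graph(calls).items():
        edges[frozenset((a, b))] += n
    return edges

def intersection_kernel(g1, g2):
    """Histogram intersection kernel: sum over edges of min(count in g1, count in g2)."""
    return sum(min(n, g2[e]) for e, n in g1.items())

def similarity(g1, g2):
    """Kernel scaled to [0, 1] so traces of different length stay comparable."""
    return intersection_kernel(g1, g2) / max(sum(g1.values()), sum(g2.values()), 1)
```

The similarity values (or the raw kernel matrix over a corpus of traces) are what would be handed to the SVM in the final step.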
Analysis Framework - 1

Two versions:

1. analyze Android apps with interaction

2. and without interaction

Both run in the Android SDK emulator on a Linux VM.

Without interaction: runs the main activity of an app and collects the strace for 3 minutes.

With interaction:

- leverage AppsPlayground (William Enck, NCSU) for interaction

- attempt to run each app until all activities are visited

- collect strace, logcat, network information, apk and signature data

- can run up to 30 minutes, average around 4 minutes to complete all activities
Analysis Framework - 2

- web-based GUI created, accessible via website for public use.

- currently have 13K known malicious and 9K known benign Android apps.

- all benign apps downloaded from Google Play

- Current analysis results are positive using malware infection trees.

- with no interaction:

  - 11800 malicious and 7729 benign Android app samples (2009-2014)

  - 27-dimension feature vector per node using SVM

  - 94% detection accuracy, 6.97% FN, 7.57% FP

  - unordered neighboring combined with intersection kernel

- machine learning done by Dr. Cavazos's group at UDel.
Final Thoughts

- Analysis framework accessible via web GUI

- 94% detection accuracy based on strace file analysis

- better detection than most major anti-malware engines

- Our accuracy is far better than other anti-malware with newer samples

- Majority of malicious activity occurs in first 2 seconds of execution

- Should continue to improve features to reduce FN and FP

- Paper being submitted to IEEE Security and Privacy

Interested in knowing more???

- Jose Andre Morales, Ph.D.

- jamorales@cert.org
Dr. Jose A. Morales
SEI/CERT

Email: iamorale@sei.cmu.edu

Joseph Yankel
SEI/CERT

Email: idvankel@cert.org

U.S. Mail

Software Engineering Institute
Customer Relations
USA

Customer Relations

Email: info@sei.cmu.edu